There is a trend for new vulnerabilities to be announced with catchy names such as VENOM, FREAK, and BEAST, to name but a few. These are often accompanied by professionally developed websites, a logo and, in some cases, press briefings by the company or security researchers that have found the vulnerability. Memorable names help facilitate easy reference and discussion of the vulnerabilities (e.g. POODLE as opposed to ”Padding Oracle On Downgraded Legacy Encryption” or CVE-2014-3566). Websites, press briefings and press mentions help raise the profile of the companies and security researchers who discover vulnerabilities and can also help bring awareness of these vulnerabilities to senior members of an organisation. However, are these trends really beneficial in the long run?
It is important to keep in mind that the latest vulnerability announced in the press may indeed be catastrophic but, at the same time, it may not affect your organisation at all. In my view, there is a risk that these trends could result in knee jerk reactions that detract from existing, robust processes for vulnerability remediation. A more critical vulnerability that actually affects your organisation may fail to get the attention it needs from the concerned stakeholders if it is not accompanied by the bells and whistles of a fancy name, website and press briefings.
Many companies and security researchers may not have the resources to set up or organise such publicity campaigns and in many cases, may simply be unwilling to do so -preferring to keep a low profile. Attention may then be diverted to vulnerabilities that are supported by hype from well-funded PR campaigns and result in valuable resources being diverted where they are not required. A second risk is that senior members of staff may in time become immune to the regular cycles of media hype surrounding the “latest and best” named vulnerability. This could result in complacency should a critical vulnerability affecting your infrastructure need a co-ordinated and well-funded response.
Organisations should have robust processes in place to identify, assess, prioritise and remediate vulnerabilities. These processes should be based on a good understanding of the risks surrounding the business and a thorough knowledge of the IT infrastructure. These processes will be unique to each organisation and it is important that organisations spend the time and effort necessary to put this in place. A robust process will ensure that all vulnerabilities that come to light, whether accompanied by considerable media hype, more quietly announced on one or more of the established vulnerability databases (e.g. NIST National Vulnerability Database, Common Vulnerabilities and Exposures (CVE) database etc.), or in many cases, communicated directly to your organisation by a security researcher or a malicious hacker, can all be assessed using a common sensible set of criteria and dealt with accordingly. This will ensure that vulnerabilities are assessed methodically and clinically, and that scarce efforts are focused where they are most needed, to maximise the chances of securing your critical business assets and processes.
Contact us to find out more about how to remediate common security
Author: Sriram Srinivasan, 7Safe cyber security specialist.